Case Studies

We are engaged in a research program in safety-critical 
computing that is based on two case studies. We use these 
case studies to provide application-specific details of the 
various research issues, and as targets for evaluation of 
research ideas. 

The first case study is the Magnetic Stereotaxis System 
(MSS), an investigational device for performing human 
neurosurgery being developed in a joint effort between the 
Department of Physics at the University of Virginia and the 
Department of Neurosurgery at the University of Iowa. 

The system operates by manipulating a small permanent 
magnet (known as a “seed”) within the brain using an externally
applied magnetic field. By varying the magnitude and
gradient of the external magnetic field, the seed can be 
moved along a non-linear path and positioned at a site 
requiring therapy, e.g., a tumor. The magnetic field required 
for movement through brain tissue is extremely high, and is 
generated by a set of six superconducting magnets located 
in a housing surrounding the patient’s head. The system 
uses two X-ray cameras positioned at right angles to detect 
in real time the locations of the seed and of X-ray opaque 
markers affixed to the patient’s skull. The X-ray images are 
used to locate the objects of interest in a canonical frame of 
reference. 

The second case study is the University of Virginia 
Research Nuclear Reactor (UVAR). It is a 2 MW thermal, 
concrete-walled pool reactor. The system operates using 20 
to 25 plate-type fuel assemblies placed on a rectangular grid 
plate. There are three scrammable safety rods, and one
non-scrammable regulating rod that can be put in automatic mode.
It was originally constructed in 1959 as a 1 MW system, 
and it was upgraded to 2 MW in 1973. Though only a 
research reactor rather than a power reactor, the issues 
raised are significant and can be related to the problems 
faced by full-scale reactor systems. 

Safety Kernel 

The software in systems like those in our case studies is
very large and complex. We assume that, because of this
size and complexity, faults will remain in the software for
an application after development. An approach we are
pursuing to deal with this is a software architecture termed a
safety kernel, a concept directly analogous to the security
kernel used in security applications.
A security kernel provides assurance that a set of security
policies is enforced independently of the application
program. Verification of the security kernel is sufficient to
ensure enforcement of those policies encapsulated within
the security kernel. The application program need not
enforce the security policies, and it can, in fact, undertake
actions that would normally lead to violation of the security
policies with no danger of actual violations taking place.
The similarity between security concerns and safety
concerns is considerable, and the concept of a safety kernel is
appealing. If the concept were feasible, a safety kernel
would enforce a set of safety policies by monitoring
requests to devices, device actions, device status,
application software status, and so on.

We have developed an enforcement safety kernel and
integrated it into our MSS implementation. The safety kernel is
generated automatically from a formal specification of the 
safety policies, and tests of the MSS instantiation show 
excellent performance. 
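To make the reference-monitor analogy concrete, the following is an added example written for this page, not code from the paper or from the MSS implementation. It shows the structure described above: every device request from the application is routed through a kernel that checks it against a table of policy predicates, and the application is never given another path to the devices. The device names (magnet, seed, xray), the request format, the four policies and the numeric limits are all constructed assumptions; the paper does not list the real MSS safety policies, and the hand-written policy table here stands in for the formal specification from which the paper's kernel is generated.

```python
"""Added example: a minimal enforcement safety kernel (reference-monitor style).
All devices, requests, policies and limits are constructed for illustration."""
import math
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class DeviceState:
    """Simulated device status the kernel monitors (constructed)."""
    field_tesla: float = 0.0
    seed_position_mm: Tuple[float, float, float] = (0.0, 0.0, 0.0)
    imaging_fresh: bool = False   # True once the X-ray subsystem reports a fix


# Hypothetical limits; not the MSS values.
MAX_FIELD_TESLA = 2.0
MAX_STEP_MM = 1.0
WORKSPACE_RADIUS_MM = 60.0

# A policy is a pure predicate over (current device state, request). Policies
# know nothing about the application, so the kernel can be verified on its own.
Policy = Callable[[DeviceState, dict], bool]


def field_within_limit(state: DeviceState, req: dict) -> bool:
    return req["device"] != "magnet" or abs(req["field_tesla"]) <= MAX_FIELD_TESLA


def step_bounded(state: DeviceState, req: dict) -> bool:
    if req["device"] != "seed":
        return True
    dx, dy, dz = req["delta_mm"]
    return math.sqrt(dx * dx + dy * dy + dz * dz) <= MAX_STEP_MM


def requires_fresh_image(state: DeviceState, req: dict) -> bool:
    # A seed move is only allowed while the last X-ray fix is still valid.
    return req["device"] != "seed" or state.imaging_fresh


def stays_in_workspace(state: DeviceState, req: dict) -> bool:
    if req["device"] != "seed":
        return True
    x, y, z = (p + d for p, d in zip(state.seed_position_mm, req["delta_mm"]))
    return math.sqrt(x * x + y * y + z * z) <= WORKSPACE_RADIUS_MM


# Hand-written stand-in for a formal policy specification (constructed).
POLICIES: Dict[str, Policy] = {
    "P1 field magnitude bounded": field_within_limit,
    "P2 seed step bounded": step_bounded,
    "P3 seed moves only with fresh image": requires_fresh_image,
    "P4 seed stays inside workspace": stays_in_workspace,
}


class SafetyKernel:
    """Mediates every device request; the application has no other path."""

    def __init__(self, policies: Dict[str, Policy], state: DeviceState):
        self.policies = policies
        self.state = state
        self.log: List[str] = []

    def request(self, req: dict) -> bool:
        """Apply the request and return True only if every policy holds."""
        violated = [name for name, check in self.policies.items()
                    if not check(self.state, req)]
        if violated:
            self.log.append(f"REJECT {req} violates {violated}")
            return False
        self._apply(req)
        self.log.append(f"ALLOW {req}")
        return True

    def _apply(self, req: dict) -> None:
        # Simulated device effects; a real kernel would forward to hardware.
        if req["device"] == "magnet":
            self.state.field_tesla = req["field_tesla"]
        elif req["device"] == "seed":
            self.state.seed_position_mm = tuple(
                p + d for p, d in zip(self.state.seed_position_mm, req["delta_mm"]))
            self.state.imaging_fresh = False   # a move invalidates the last fix
        elif req["device"] == "xray":
            self.state.imaging_fresh = True


def run_demo() -> Tuple[List[bool], DeviceState, List[str]]:
    """Application sequence containing deliberate policy violations."""
    kernel = SafetyKernel(POLICIES, DeviceState())
    results = [
        kernel.request({"device": "magnet", "field_tesla": 1.5}),     # allowed
        kernel.request({"device": "magnet", "field_tesla": 5.0}),     # P1 rejects
        kernel.request({"device": "seed", "delta_mm": (0.5, 0, 0)}),  # P3 rejects: no fix yet
        kernel.request({"device": "xray"}),                           # allowed
        kernel.request({"device": "seed", "delta_mm": (0.5, 0, 0)}),  # allowed
        kernel.request({"device": "seed", "delta_mm": (0.5, 0, 0)}),  # P3 rejects: fix consumed
    ]
    return results, kernel.state, kernel.log


if __name__ == "__main__":
    for entry in run_demo()[2]:
        print(entry)
```

The point the example makes is the one the text draws from security kernels: the application in `run_demo` issues requests that would violate the policies, and none of them reaches the device, because enforcement lives entirely in `SafetyKernel` and the small set of predicates, which is the only part that needs to be verified.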

Testing 

Systems of this complexity pose significant challenges in
the area of testing, especially in the large number of
possible test cases. We are using a technique that we call
specification limitation to permit demonstration of useful
properties by exhaustive testing. By specification limitation
we mean that the specification for the application is
deliberately limited in several areas to restrict the total number of
test cases. For example, in the MSS the angles entered by
the operator for the required direction of motion are
rounded to 1/10 of a degree. In practice, this is not a
significant functional restriction but it permits exhaustive testing
of the angles used for setting direction. The same approach 
is used with distance. 

A second significant problem in testing complex systems is 
correctness determination, i.e., determining whether the 
outputs are correct. In our MSS implementation, we have 
addressed this problem by the use of reversal checks on the 
entire system. A reversal check computes a program’s input 
from its output and compares this with the actual input. The 
current calculations for the superconducting coils, for 
example, begin with a required force and are very complex. 
Computing the force resulting from the coil currents,
however, is simple and provides the exact inverse of the current
calculations. Thus the input can be computed and
compared. A variation on the idea of a reversal check is also
used by the MSS imaging subsystem. 
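The two testing ideas above, specification limitation and reversal checks, fit together naturally: limiting the direction angle to tenths of a degree gives an input space of exactly 3600 values, and a reversal check gives an oracle for each of them, so the combination can be run exhaustively. The following is an added example written for this page, not code from the MSS implementation. The 2x3 coil matrix, the planar two-component force, the minimum-norm current solution and the deliberately broken variant are all constructed assumptions, chosen only so that the forward calculation (force to currents) is the harder direction and the reversal (currents to force) is a single matrix product, which is the asymmetry the text relies on.

```python
"""Added example: specification limitation plus a reversal check, run
exhaustively over the limited angle space. Coil model is constructed."""
import math
from typing import Callable, List, Sequence, Tuple

Vec = Tuple[float, float]

# Constructed 2x3 "coil geometry": force = M @ currents, with M[i][j] the force
# component i produced per unit current in coil j. Made-up numbers, not MSS data.
M = [
    [1.0, -0.5, -0.5],
    [0.0, 0.8660254, -0.8660254],
]


def currents_for_force(force: Vec) -> List[float]:
    """The 'complex' forward direction: minimum-norm coil currents for a
    requested force, I = M^T (M M^T)^-1 F, with the 2x2 inverse by hand."""
    a = sum(M[0][j] * M[0][j] for j in range(3))
    b = sum(M[0][j] * M[1][j] for j in range(3))
    d = sum(M[1][j] * M[1][j] for j in range(3))
    det = a * d - b * b
    if abs(det) < 1e-12:
        raise ValueError("coil geometry is singular")
    y0 = (d * force[0] - b * force[1]) / det
    y1 = (-b * force[0] + a * force[1]) / det
    return [M[0][j] * y0 + M[1][j] * y1 for j in range(3)]


def buggy_currents_for_force(force: Vec) -> List[float]:
    """Deliberately wrong variant (sign error on one component), used to show
    that the reversal check detects an incorrect forward calculation."""
    return currents_for_force((force[0], -force[1]))


def force_from_currents(currents: Sequence[float]) -> Vec:
    """The simple reversal: the exact inverse relation, force = M @ currents."""
    return (sum(M[0][j] * currents[j] for j in range(3)),
            sum(M[1][j] * currents[j] for j in range(3)))


def limited_angles_deg() -> List[float]:
    """Specification limitation: operator angles are rounded to 0.1 degree, so
    the direction input space is exactly 3600 values and can be enumerated."""
    return [round(k / 10.0, 1) for k in range(3600)]


def reversal_check(force: Vec, forward: Callable[[Vec], List[float]],
                   tol: float = 1e-9) -> bool:
    """Compute the input back from the output and compare with the real input."""
    recovered = force_from_currents(forward(force))
    return math.hypot(recovered[0] - force[0], recovered[1] - force[1]) <= tol


def exhaustive_test(forward: Callable[[Vec], List[float]] = currents_for_force,
                    magnitudes: Sequence[float] = (0.5, 1.0, 2.0, 5.0)
                    ) -> Tuple[int, List[Tuple[float, float]]]:
    """Run the reversal check over every limited angle for each magnitude.
    Returns (number of cases, list of (angle, magnitude) pairs that failed)."""
    failures = []
    angles = limited_angles_deg()
    for mag in magnitudes:
        for ang in angles:
            theta = math.radians(ang)
            requested = (mag * math.cos(theta), mag * math.sin(theta))
            if not reversal_check(requested, forward):
                failures.append((ang, mag))
    return len(angles) * len(magnitudes), failures


if __name__ == "__main__":
    total, bad = exhaustive_test()
    print(f"correct forward calculation: {total} cases, {len(bad)} failures")
    total, bad = exhaustive_test(buggy_currents_for_force)
    print(f"buggy forward calculation:   {total} cases, {len(bad)} failures")
```

Two things are worth noticing when running it. The correctness oracle never needs a table of expected currents: `force_from_currents` is cheap and exact, so the check scales to the whole limited input space. And the broken variant is caught at almost every angle; it slips through only where the sign error has no effect (the two angles whose second force component is zero), which is the kind of blind spot a reversal check has by construction when the inverse relation does not constrain every degree of freedom.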
[Figure residue: only the slide titles survive. Safety Kernel Concept; Some of the MSS Safety Policies; Major Safety Kernel Issues; System Design; MSS Testing Architecture; MSS Test Case Selection: Has No Effect on System Utility, Permits Significant Statistical Samples If Not Exhaustive.]